Changeset 22660


Timestamp:
05/14/13 10:04:33 (5 years ago)
Author:
plg
Message:

feature 2899: ability to allow HTML in EXIF/IPTC (disabled by default)

Location:
branches/2.5/include
Files:
2 edited

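--- a/branches/2.5/include/config_default.inc.php
+++ b/branches/2.5/include/config_default.inc.php
@@ -374,4 +374,9 @@
   'date_creation' => 'DateTimeOriginal'
   );
+
+// allow_html_in_metadata: in case the origin of the photo is unsecure (user
+// upload), we remove HTML tags to avoid XSS (malicious execution of
+// javascript)
+$conf['allow_html_in_metadata'] = false;
 
 // +-----------------------------------------------------------------------+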
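Review bot: The comment above `$conf['allow_html_in_metadata'] = false;` explains what happens while the option is off, but says nothing about what enabling it means for a site: any account that can upload photos can then get arbitrary HTML, including script, from EXIF/IPTC fields stored and later rendered. An administrator reading config_default.inc.php is the person who will flip this, so the trade-off belongs here. I would rephrase it as `// allow_html_in_metadata: when false (default), HTML tags are stripped from EXIF/IPTC values at import to prevent XSS from user-uploaded photos. Set to true only if every uploader is trusted, since raw metadata is then stored unfiltered.`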
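--- a/branches/2.5/include/functions_metadata.inc.php
+++ b/branches/2.5/include/functions_metadata.inc.php
@@ -31,4 +31,6 @@
 function get_iptc_data($filename, $map)
 {
+  global $conf;
+
   $result = array();
 
@@ -61,8 +63,13 @@
           foreach (array_keys($map, $iptc_key) as $pwg_key)
           {
-            // in case the origin of the photo is unsecure (user upload), we
-            // remove HTML tags to avoid XSS (malicious execution of
-            // javascript)
-            $result[$pwg_key] = strip_tags($value);
+            $result[$pwg_key] = $value;
+
+            if (!$conf['allow_html_in_metadata'])
+            {
+              // in case the origin of the photo is unsecure (user upload), we
+              // remove HTML tags to avoid XSS (malicious execution of
+              // javascript)
+              $result[$pwg_key] = strip_tags($result[$pwg_key]);
+            }
           }
         }
@@ -113,4 +120,6 @@
 function get_exif_data($filename, $map)
 {
+  global $conf;
+
   $result = array();
 
@@ -144,9 +153,12 @@
   }
 
-  foreach ($result as $key => $value)
+  if (!$conf['allow_html_in_metadata'])
   {
-    // in case the origin of the photo is unsecure (user upload), we remove
-    // HTML tags to avoid XSS (malicious execution of javascript)
-    $result[$key] = strip_tags($value);
+    foreach ($result as $key => $value)
+    {
+      // in case the origin of the photo is unsecure (user upload), we remove
+      // HTML tags to avoid XSS (malicious execution of javascript)
+      $result[$key] = strip_tags($value);
+    }
   }
 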
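Review bot: The new `if (!$conf['allow_html_in_metadata'])` guards in both functions leave `strip_tags()` as the only XSS defence for untrusted metadata, and `strip_tags()` only removes `<...>` markup — it does not touch quotes or entities, so a value that is later placed unescaped into an HTML attribute or inline script remains exploitable, and once the flag is enabled nothing in these functions filters at all. Whether the templates that render EXIF/IPTC values escape for their output context cannot be checked from this diff, so I would state the dependency at each guard: `// strip_tags() is defence in depth only: it removes tags, not quotes/entities, so output must still be escaped per context; when the flag is enabled the raw value is stored as-is`. The index is read without `isset()`, which happens to fail safe (a missing key is falsy and stripping still occurs); a one-line comment on the `global $conf;` lines saying so would stop a later "fix" from changing that default. Both `get_iptc_data()` and `get_exif_data()` continue outside the hunks.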